As our vehicles become ever more connected, a host of data privacy issues emerge. Automotive, telecoms and technology expert Terence Broderick explains what the risks are and how innovators can best protect their solutions.
One of the biggest changes to vehicles over the next decade will be the amount of data being generated and processed during their usage cycles. While this isn’t exactly new — vehicles have long been running different types of software for everything from SatNavs to fuel management systems — vehicles have still been considered very private spaces.
As vehicles become increasingly connected and move up the levels of autonomy, this vision may not be accurate for much longer. In-vehicle connectivity is no longer the preserve of premium-brand models and is finding its way into vehicles with wider availability.
This brings with it a new issue relating to the protection of personal data — currently near the top of the Europe’s regulatory agenda, thanks to GDPR. The European Data Protection Board (EDPB) has recently published guidelines as part of a public consultation on the processing of personal data in the context of connected vehicles.
While these guidelines are yet to become law, they’re a clear indication of where the data privacy risks lie and what the legal framework will look like.
The EDPB highlights the following risks:
- Increased use of location technologies and their potential use in surveillance of individuals, as well as the misuse of that data.
- Lack of functionality enabling individuals to avail themselves of their data protection and privacy rights during use of a connected vehicle.
- Connected vehicles are part of the internet-of-things and should be treated as such, especially given the potential impact of an incident involving a connected vehicle.
- Difficulty preventing a user to control the flow of their personal data — leading to the onset of ‘function creep’ where personal data is concerned.
- Separation of consent for data processing between owners and users — particularly relevant where car sharing services and ride-hailing is concerned.
- Excessive data collection compared to what is necessary to achieve the purpose.
- General data security — due to the number of peripheral services offered by connected vehicles (e.g. USB, Wi-Fi, RFID).
In view of the risks set out above, the EDPB makes the following recommendations:
- Geolocation data, biometric data and any data which could reveal a criminal offence should be given special attention.
- Technologies should be designed to minimise the collection of personal data.
- Local data processing should be used as much as possible (i.e. processes should be used which minimise the potential for transferring personal data outside of the vehicle).
- Anonymisation and pseudonymisation should be used where data is being transferred outside of the vehicle.
- Tools should provide functionalities that enable individuals to exercise their right to control their data during the entire processing period.
- All traditional methods of increasing security and confidentiality should be used (i.e. encryption and key management).
- The technology should make it easy to both give consent and take it away.
These recommendations provide clear technical direction to those innovating in this space. They set out where technical solutions are needed to address privacy risks when personal data is processed by connected vehicles.
Technical innovation which addresses any of the privacy risks associated with the processing of personal data can manifest in all manner of ways. It may be that a specific method of cryptography can be advantageously used to protect the identity of a driver of a vehicle in order to anonymise that personal data for transmission outside of the vehicle. It may also be that the data storage inside a vehicle can be organised in accordance with a specific configuration which separates personal from non-personal data, so that the personal data can be more effectively protected.
Whichever way you choose to address these problems, we can assist. Patent applications are generally the best way to protect technical innovations and our experienced automotive team has a wealth of experience with CAVs and associated technologies.